]> git.proxmox.com Git - mirror_ubuntu-bionic-kernel.git/commit
projects / mirror_ubuntu-bionic-kernel.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: ba9944e) | patch
UBUNTU: SAUCE: floppy: Do not copy a kernel pointer to user memory in FDGETPRM ioctl
authorAndy Whitcroft <apw@canonical.com>
Tue, 29 May 2018 13:38:27 +0000 (14:38 +0100)
committerJuerg Haefliger <juergh@canonical.com>
Wed, 6 Jun 2018 05:49:03 +0000 (07:49 +0200)
commit37c0e186811fd35548405939887d40fb67e2af0c
tree9f241b9673708285c89d3add3569ba7f09d8f8fdtree
parentba9944e914ed39fea77601c0166c9eed8f9ca85fcommit | diff
UBUNTU: SAUCE: floppy: Do not copy a kernel pointer to user memory in FDGETPRM ioctl

The final field of a floppy_struct is the field "name", which is a pointer
to a string in kernel memory.  The kernel pointer should not be copied to
user memory.  The FDGETPRM ioctl copies a floppy_struct to user memory,
including this "name" field.  This pointer cannot be used by the user
and it will leak a kernel address to user-space, which will reveal the
location of kernel code and data and undermine KASLR protection.

Model this code after the compat ioctl which copies the returned data
to a previously cleared temporary structure on the stack (excluding the
name pointer) and copy out to userspace from there.  As we already have
an inparam union with an appropriate member and that memory is already
cleared even for read only calls make use of that as a temporary store.

Based on an initial patch by Brian Belleville.

CVE-2018-7755
Signed-off-by: Andy Whitcroft <apw@canonical.com>
Acked-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
Acked-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>
Signed-off-by: Juerg Haefliger <juergh@canonical.com>
drivers/block/floppy.c diff | blob | blame | history
ubuntu-bionic-kernel mirror